### Summary
This PR adds a new public key to amazon-ssm-agent.gpg based on the latest info on the Verifying the signature of the SSM Agent doc. The `ssm-agent-signature-verify()` function in the ecs-anywhere-install.sh is also updated to treat both `8108A07A9EBE248E3F1C63F254F4F56E693ECA21` and `2BC7C7C267BBD505EAA491E6DD81A61756BAA549` as valid fingerprints.
### Implementation details
* Add a new key to amazon-ssm-agent.gpg
* Update `ssm-agent-signature-verify()` in the ecs-anywhere-install.sh
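As an added illustration of the allow-list check this PR describes (example code, not the project's own `ssm-agent-signature-verify()` from ecs-anywhere-install.sh), the function below accepts exactly the two fingerprints named above and rejects any other key found in a keyring listing. The colon-format listing is constructed for the example, and the `gpg --with-colons --with-fingerprint` wrapper is an assumed invocation that is not exercised offline.

```bash
#!/usr/bin/env bash
# Added example, not the project's ssm-agent-signature-verify(): an allow-list
# check that accepts exactly the two SSM Agent signing-key fingerprints this PR names.
set -eu

# Fingerprints of the two accepted signing keys (values from the PR description).
SSM_AGENT_FINGERPRINTS="8108A07A9EBE248E3F1C63F254F4F56E693ECA21 2BC7C7C267BBD505EAA491E6DD81A61756BAA549"

# Normalise gpg's human-readable form ("8108 A07A ...", any case) to compact upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when the fingerprint is in the allow-list, 1 otherwise.
allowed_fingerprint() {
    local fpr allowed
    fpr=$(normalize_fpr "$1")
    for allowed in $SSM_AGENT_FINGERPRINTS; do
        [ "$fpr" = "$allowed" ] && return 0
    done
    return 1
}

# Read a `gpg --with-colons --with-fingerprint` listing on stdin and require that the
# primary-key fingerprint of every key (the "fpr" record after each "pub", field 10)
# is allowed. An empty listing or any unexpected key fails the check.
check_keyring_fingerprints() {
    local fprs fpr count=0
    fprs=$(awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; want = 0 }')
    for fpr in $fprs; do
        count=$((count + 1))
        allowed_fingerprint "$fpr" || { echo "unexpected signing key: $fpr" >&2; return 1; }
    done
    [ "$count" -gt 0 ]
}

# Live check of a downloaded keyring file (assumed gpg invocation; not exercised offline).
verify_ssm_agent_keyring() {
    gpg --quiet --with-colons --with-fingerprint "$1" | check_keyring_fingerprints
}

# Constructed two-key listing in gpg colon format, mirroring the keyring after this PR.
SAMPLE_LISTING='pub:-:4096:1:54F4F56E693ECA21::::
fpr:::::::::8108A07A9EBE248E3F1C63F254F4F56E693ECA21:
uid:-::::::::SSM Agent <ssm-agent-signer@amazon.com>:
pub:-:4096:1:DD81A61756BAA549::::
fpr:::::::::2BC7C7C267BBD505EAA491E6DD81A61756BAA549:
uid:-::::::::SSM Agent <ssm-agent-signer@amazon.com>:'
```

Run `printf '%s\n' "$SAMPLE_LISTING" | check_keyring_fingerprints` to see the check pass on the constructed listing; appending a third key with an unlisted fingerprint makes it fail.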
### Testing
1. Modified `curl-helper "$dir/amazon-ssm-agent.gpg" "https://raw.githubusercontent.com/aws/amazon-ecs-init/master/scripts/amazon-ssm-agent.gpg"` in the ecs-anywhere-install.sh to get the updated amazon-ssm-agent.gpg from the testing branch. See the change here.
2. Ubuntu amd 64 instance in us-west-2
   * Launched an ubuntu amd 64 instance (AMI name: ubuntu-focal-20.04-amd64-minimal-20210817)
   * Uninstalled existing amazon-ssm-agent using `sudo snap remove amazon-ssm-agent`
   * Ran `curl --proto "https" -o "/tmp/ecs-anywhere-install.sh" "https://amazon-ecs-agent.s3.amazonaws.com/ecs-anywhere-install-latest.sh"` to get ecs-anywhere-install.sh
   * Modified ecs-anywhere-install.sh as mentioned in step 1.
   * Ran `bash /tmp/ecs-anywhere-install.sh --region "us-west-2" --cluster "P61677231" --activation-id "xxx" --activation-code "xxx"` to execute the updated script
   * Result: `Primary key fingerprint: 8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21` is used.
```
##########################
# Trying to install ssm agent ...
##########################
Trying to verify the signature of amazon-ssm-agent package ...
/usr/bin/gpg
gpg: key 54F4F56E693ECA21: 1 signature not checked due to a missing key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 54F4F56E693ECA21: public key "SSM Agent ssm-agent-signer@amazon.com" imported
gpg: key DD81A61756BAA549: 1 signature not checked due to a missing key
gpg: key DD81A61756BAA549: public key "SSM Agent ssm-agent-signer@amazon.com" imported
gpg: Total number processed: 2
gpg: imported: 2
gpg: no ultimately trusted keys found
gpg: Signature made Wed Mar 9 21:49:55 2022 UTC
gpg: using RSA key 54F4F56E693ECA21
gpg: Good signature from "SSM Agent ssm-agent-signer@amazon.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8108 A07A 9EBE 248E 3F1C 63F2 54F4 F56E 693E CA21
amazon-ssm-agent GPG verification passed. Install the amazon-ssm-agent.
ok
##########################
Selecting previously unselected package amazon-ssm-agent.
(Reading database ... 50563 files and directories currently installed.)
Preparing to unpack .../tmp.Lg7PynSTc6/ssm-agent.deb ...
Preparing for install
-> Systemd detected
active
Failed to stop amazon-ssm-agent.service: Unit amazon-ssm-agent.service not loaded.
Unpacking amazon-ssm-agent (3.1.1080.0-1) ...
Setting up amazon-ssm-agent (3.1.1080.0-1) ...
Starting agent
Created symlink /etc/systemd/system/multi-user.target.wants/amazon-ssm-agent.service → /lib/systemd/system/amazon-ssm-agent.service.
##########################
Trying to Register SSM agent ...
Error occurred fetching the seelog config file path: open /etc/amazon/ssm/seelog.xml: no such file or directory
Initializing new seelog logger
New Seelog Logger Creation Complete
2022-03-23 06:11:42 WARN Could not read InstanceFingerprint file: InstanceFingerprint does not exist.
2022-03-23 06:11:42 INFO No initial fingerprint detected, generating fingerprint file...
2022-03-23 06:11:42 INFO Successfully registered the instance with AWS SSM using Managed instance-id: mi-0dd8361fc63154635
SSM agent has been registered.
ok
##########################
```
3. Ubuntu amd 64 instance in eu-north-1
   * Similar steps as "2. Ubuntu amd 64 instance in us-west-2"
   * Result: `Primary key fingerprint: 2BC7 C7C2 67BB D505 EAA4 91E6 DD81 A617 56BA A549` is used.
```
##########################
Trying to install ssm agent ...
##########################
Trying to verify the signature of amazon-ssm-agent package ...
/usr/bin/gpg
gpg: key 54F4F56E693ECA21: 1 signature not checked due to a missing key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 54F4F56E693ECA21: public key "SSM Agent ssm-agent-signer@amazon.com" imported
gpg: key DD81A61756BAA549: 1 signature not checked due to a missing key
gpg: key DD81A61756BAA549: public key "SSM Agent ssm-agent-signer@amazon.com" imported
gpg: Total number processed: 2
gpg: imported: 2
gpg: no ultimately trusted keys found
gpg: Signature made Fri Mar 18 22:23:41 2022 UTC
gpg: using RSA key DD81A61756BAA549
gpg: Good signature from "SSM Agent ssm-agent-signer@amazon.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2BC7 C7C2 67BB D505 EAA4 91E6 DD81 A617 56BA A549
amazon-ssm-agent GPG verification passed. Install the amazon-ssm-agent.
ok
##########################
```
New tests cover the changes: no
### Description for the changelog
Add a new public key to amazon-ssm-agent.gpg and update ecs-anywhere-install.sh
### Licensing
This contribution is under the terms of the Apache 2.0 License: yes